Cloud-based solutions in GxP Environment: which one to adopt?


Following the Paperless Lab Academy® 2022 in India, we are pleased to present this summary of our “Compliance Track” keynote speaker. Ms Neeru Bakshi, Founder of Tech Qualitas, has agreed to summarise her presentation on demystifying cloud-based solutions in the GxP environment.

Cloud solutions have come of age and have enormous potential, offering resilience, security and scalability – all quickly and at low cost for implementation and maintenance. Leading pharmaceutical and life sciences companies are discovering the potential of the cloud by enabling analytics, shortening innovation cycles and standardising processes across global operations, among other benefits. During the COVID pandemic, cloud technology enabled pharmaceutical companies to deliver the COVID-19 vaccine in less time because it does not need to be reinvented and can fly indefinitely.

Although there is widespread belief in the value of the cloud, solution providers and users (pharma and life sciences companies) often lack a clear understanding of how to maintain a validated and controlled state of cloud solutions. This leads to misguided strategies and incorrect implementation, or to too much validation and documentation, sometimes repeating everything the cloud solution provider has already executed.

Selecting the right cloud deployment model can be challenging when considering the various regulations and standards that apply to the GxP environment, such as 21 CFR Part 11, EU Annex 11, GDPR, PCI DSS, HIPAA, ISO and many more. The following are the available cloud deployment models that can be used in the GxP environment depending on the risk, complexity, and size of the computer systems.

Cloud-based solutions in GxP Environment: one solution for every need

Public Cloud Deployment

These deployments are hosted on public servers that are available over the internet. The cloud service provider maintains and manages all available resources in the cloud. Therefore, companies that opt for a public cloud do not have to make large investments in hardware and software and do not need to hire additional staff to manage them.

The disadvantages are data security and privacy concerns and reliability issues, as the same server network is open to a large number of users, as is the case with public cloud services used on a daily basis, such as email services.

Private Cloud Deployment

These deployments include hosting the cloud infrastructure on-site or in a cloud service provider’s data centre. In-house staff maintain and manage all available resources in the cloud. Companies must have technical staff on hand to deal with any issues that arise during the operation of the private cloud. This model allows the cloud services to be integrated into the company’s infrastructure. This model offers more control, customisation options and high security.

The disadvantage is the cost of keeping qualified personnel as well as infrastructure costs.

Hybrid Cloud Deployment

These deployments combine public and private clouds. Here, the company uses the public cloud but also has its own systems on site and creates a connection between the two. They work as one system. This is helpful when costs and security need to be managed efficiently, as it allows the requirements of a private cloud to be combined with the benefits of a public cloud. This allows local applications with sensitive data to run in parallel with public cloud applications.

The disadvantage can be the cost impact if the right services are not selected in this model and if the separation of public and private data is not done correctly, following security, compliance and auditing requirements.

Community Cloud Deployment

These implementations involve the sharing of infrastructure between multiple groups/organisations. Data is still segmented and kept private except in areas where shared access has been agreed and configured. Organisations that have unified business needs choose to join the community cloud, e.g. government organisations, universities, etc. It enables cost-effective collaboration with the establishment of a low-cost private cloud.

The disadvantage is that security and segregation of data can be difficult to ensure.

Having gained a full overview of the cloud-based solutions that could be deployed in a GxP environment, what steps are recommended to manage the cloud service provider’s compliance?

  • Cloud Service Provider assessment, evaluation & audit
  • Supplier procedural requirements for
    • Data Migration
    • Incident Management & Disaster Recovery Plan
    • Data Retention and archiving
    • Infrastructure Maintenance
    • Change Management
    • Release Management
    • Access Management
    • Customer Support
  • Leveraging Validation/ Qualification performed by Supplier
  • Continuous monitoring and assessment of Cloud Service Provider
  • Robust business contractual agreement on services & quality of cloud service provider with listed recommended inclusions:
    • Prior notices for scheduled maintenance down time
    • 45-60 days' prior notice before a Major/Medium release in Production, after validation completion in the validation environment. Regulated organizations can use this period to test and validate the new version of the cloud solution before it is released to the “Production” environment
    • Customer support 24h, 7 days a week
    • Supplier must ensure backup/restore/Disaster Recovery of data
    • Data transfer/access compliant with GDPR and other applicable local regulatory requirements
    • Data removal upon termination of contract
    • Supplier’s confidentiality obligations, Data Protection, Subcontracting, Audits

Validation of Software as a Service (SaaS) on Cloud

When using validated SaaS (Software as a Service) in the cloud, a risk-based approach must be taken. These solutions are also referred to as pre-validated SaaS. Organisations can take a minimum validation approach to using pre-validated SaaS in a number of ways, depending on their internal business processes and the regulatory requirements they need to comply with. The table lists the recommended validation steps that should be followed when using pre-validated SaaS as-is (GAMP category 3) or with additional workflow and configuration changes (GAMP category 4).


Mrs Neeru Bakshi, Founder at Tech Qualitas

Regulatory and technical software is nothing without a team of data and science experts at its core. Neeru is one of those ultra-valuable veteran data experts who dig into the nitty-gritty of regulations, guidelines, and systems and make sure the organization is up to date and on track with any new technical developments in QA, validation or any other industry standards.
Neeru Bakshi has more than 20 years’ experience in the pharmaceutical and Life Sciences domain. She worked as Validation/QA Lead, Project Manager/Lead, and as Business Analyst for various cloud solutions and systems such as Oracle Life Sciences Applications for Clinical Trials, SAP, GLP systems, Electronic Submissions, Pharmacovigilance Systems.
Neeru is well versed in regulatory standards and guidelines: 21 CFR Part 11, Computer System Used in Clinical Trials, GAMP5 guidelines, EudraLex Volume 4 Annex 11, along with knowledge of European data protection laws and practices and understanding of the GDPR. She has experience and interest in executing harmonization, development and implementation of Global Quality and IT/CSV Policies/SOPs/Guidelines across the organization level. She also has experience in pharmaceutical industry audits of validated computer systems, and in supporting clients in such audits, whether they be internal audits, sponsor-driven audits, or regulatory agency audits.

Tech Qualitas is a quality-driven service partner focused on risk minimization. Our team have more than 40 years of experience handling complex projects at different scales. We serve pharmaceutical, biotech, medical device, and CRO companies by providing compliant outsourced services, validation technology solutions support and development that improve performance, data integrity & privacy controls, and compliance. Tech Qualitas experts have a thorough understanding of Computer System Validation, Auditing Services, Sterilization Process Validation, Pharmaceutical Microbiology and Contamination Control, QMS Designing and Consultancy services, SaaS validation for service provider and customer, and many other compliance services.



